AVC Denied Dhcp and Iptables.
Wart
wart at kobold.org
Sun Jul 15 03:58:23 UTC 2007
Daniel J Walsh wrote:
> piotreek wrote:
>> Hi guys, I found some strange messages in my logs. It seems that
>> SELinux is blocking dhcp and iptables.
>> I found a similar post on the group about DHCP, but my messages are
>> different. I am using FC7; the latest policy update didn't resolve the problem.
>> P.S. I am using Firestarter as my firewall.
> I believe you will need to write custom policy to make this work. You
> can simply add these rules using audit2allow.
>
> # grep dhcpc /var/log/audit/audit.log | audit2allow -M mydhcpc
>
> # semodule -i mydhcpc.pp
>
> Having dhcpc allowed to turn on/off firewall rules is of debatable
> security risk.
I'm noticing similar behavior with dhcp and ntp. It seems that for some
reason the dhcp client is trying to play with ntp (probably because I
define the ntp server in the dhcp server config) and failing:
type=AVC msg=audit(1184457984.239:75): avc: denied { remove_name } for
pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966
scontext=system_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.239:75): avc: denied { unlink } for
pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966
scontext=system_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.253:76): avc: denied { add_name } for
pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.253:76): avc: denied { create } for
pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.254:77): avc: denied { write } for
pid=6377 comm="touch" name="ntpd" dev=sdc1 ino=1632966
scontext=system_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=file
I can easily write a custom policy to allow this, but it feels like a
common enough configuration (ntp server configured by dhcp) that there
should be a global policy (or boolean?) to allow this to work.
--Mike
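Added example, not code from this thread or from any of the posters: before feeding denials like the ones above to audit2allow and loading the result with semodule, it helps to see exactly which (source type, target type, class) pairs and permissions a module would grant, and which helper programs running in the source domain triggered them. The small parser below reads records in the audit.log format quoted above, skips non-AVC records, groups denials the way audit2allow groups them, and renders them as allow rules for review. The sample log is the five AVC records from this message reflowed to one record per line, plus one constructed SYSCALL record; all function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the five AVC records quoted in this message, reflowed to
# one record per line as they appear in /var/log/audit/audit.log, plus one
# constructed SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1184457984.239:75): avc: denied { remove_name } for pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.239:75): avc: denied { unlink } for pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1184457984.239:75): arch=40000003 syscall=10 success=no exit=-13 comm="rm" exe="/bin/rm" subj=system_u:system_r:dhcpc_t:s0
type=AVC msg=audit(1184457984.253:76): avc: denied { add_name } for pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.253:76): avc: denied { create } for pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.254:77): avc: denied { write } for pid=6377 comm="touch" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
"""

# Fixed head of an AVC record: timestamp, serial, result and the permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs in the tail; values may be quoted (comm="rm") or bare (pid=6370).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }


def type_of(context):
    """Extract the type field: system_u:system_r:dhcpc_t:s0 -> dhcpc_t."""
    return context.split(':')[2]


def summarize_denials(log_text, source_type=None):
    """Group denials into (source type, target type, class) -> sorted perms.

    This is the same grouping audit2allow uses for its allow rules; pass
    source_type to restrict to one domain, like the grep in the thread.
    """
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        src = type_of(rec['scontext'])
        if source_type is not None and src != source_type:
            continue
        grouped[(src, type_of(rec['tcontext']), rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in grouped.items()}


def processes_involved(log_text):
    """Map each denied source domain to the comm values that hit the denial."""
    procs = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec['result'] == 'denied':
            procs[type_of(rec['scontext'])].add(rec['comm'])
    return {domain: sorted(comms) for domain, comms in procs.items()}


def draft_allow_rules(summary):
    """Render the grouped denials in policy-language allow syntax for review."""
    return [
        'allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(perms))
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


if __name__ == '__main__':
    summary = summarize_denials(SAMPLE_AUDIT_LOG, source_type='dhcpc_t')
    print('helper programs per domain:', processes_involved(SAMPLE_AUDIT_LOG))
    for rule in draft_allow_rules(summary):
        print(rule)
```

Run against a real audit.log the output of draft_allow_rules is what you would compare with `audit2allow -M mydhcpc` before deciding whether granting dhcpc_t write access to lock files under var_lock_t is acceptable on that host, or whether the lock-file handling belongs in a separate domain.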